Crispin Cowan wrote: > So Shane should be able to achieve his goals through any one of several > different paths: > > * use POSIX capabilities to grant the particular privs desired to some > non-root daemons > * use your favorite restrictive module (SubDomain, LIDS, Janus, SELinux, > etc.) to restrict some root daemon to only the activities it needs to do > its job During the POSIX specification process is was noted that a new access control scheme can either offer an Alternative policy or an Additional policy. The POSIX ACL scheme is an example of the former, although is tries desperately to qualify as the later. The POSIX Mandatory Access Control (MAC) scheme, on the other hand, is strictly additional. The oft meligned Capability scheme is an Alternative to the Superuser scheme. The POSIX group had the distinct advantage of being restricted to the P1003.[12] scope and terminology, which allowed a certain narrowness. -- Casey Schaufler Manager, Trust Technology, SGI caseyat_private voice: 650.933.1634 casey_pat_private Pager: 888.220.0607 _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 11:38:28 PDT